Microsoft Knowledge Base article Q254150 contains:
With the advanced installation of Certificate Services, an administrator can choose which cryptographic service provider (CSP) the Certification Authority (CA) uses for cryptographic operations. Although the Microsoft Enhanced CSP appears to be an available option, the Microsoft Enhanced CSP is not supported for use on the key pair for the CA.
MORE INFORMATIONThere is no advantage or cryptographic strength increase in using the Microsoft Enhanced CSP to generate the CA's key pair. A CA performs only signing operations, which have the same limits in the Microsoft Base CSP and the Microsoft Enhanced CSP.
The primary difference between the Microsoft Base CSP and the Microsoft Enhanced CSP is the supported key size for data encryption operations. The Base CSP supports a maximum encryption key length of 1,024 bits, and the Enhanced CSP supports a maximum encryption key length of 16,384 bits.
A CA performs signing operations on issued certificates, Certificate Revocation Lists (CRLs), and the Certificate Services database. A Certification Authority (CA) does not perform any encryption operations. There is no benefit in using the Microsoft Enhanced CSP provider with Certificate Services. The maximum key length for digital signature operations for both CSPs is 16,384 bits.
There is no relationship between the signing technology that is used by the CA and the encryption capabilities of a client. A client can choose to use any supported key length for data encryption regardless of the length of the Certification Authority's key.
If Certificate Services has already been installed with the Microsoft Enhanced CSP, you can back up the CA certificate and private key and reinstall the CA. After the CA is reinstalled, select the Microsoft Base Cryptographic Service Provider, and then choose to use an existing keyset.
For information about how to back up, remove, and reinstall the Certification Authority, see: